Auto Renew LetsEncrypt SSL Certs the ‘Dumb Way’

Over 40 million websites use LetsEncrypt SSL Certs already. Undoubtedly, it has been a great relief for DevOps and site owners to have a little security for their users for free in the form of HTTPS.

Having to go in and manually update the 3-month expiry certificates LetsEncrypt generates for you each time can be boring and annoying, especially if you’re managing many domains.

I currently manage SSL for 5 domains with LetsEncrypt.

Automating the process of renewal when certificates are already generated is priceless, and so, for a second, let’s all wear the ‘Dumb’ DevOps hat, and save our souls with scripts that get the job done for us.


This article assumes these steps have been taken care of already:

  • Server is Ubuntu 16.04 LTS
  • Server is using Nginx
  • LetsEncrypt is installed
  • Certificates for the domains are already generated (standalone approach) and activated appropriately to work with Nginx.

With the above in mind, we want to have this happening:

  • Run a script which will attempt to autorenew certificates every week. I chose Sundays at 00:00 GMT

I chose that time because it is within a timeslot where my server generally receives the least to no traffic.

To keep running a script each week, we turn to Cron!

This Cron task would do the job:

$ sudo crontab -e

# Run renewal script weekly at 00:00 GMT on Sundays
# If something goes wrong, email me!
0 0 * * 0 /opt/renew-ssl >> /path/to/mylogs/le-renew.log && curl -sm 30<cronjob-name>?c=0_0_*_*_0

Our /opt/renew-ssl script will then look like this:


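#!/bin/bash
# Free ports 80/443 for the standalone renewal, and give Nginx time to stop
service nginx stop
sleep 5s
# Renew any certificates that are due
letsencrypt renew
# Bring Nginx back up
service nginx start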

Does it work? Yes.

Is it the most fanciful? No.

We sleep 5 seconds to give ample time for the Nginx service to stop. We don’t want a situation where Nginx doesn’t finish shutting down but LetsEncrypt kicks in.

Sleeping 5 seconds is like 450 years in a computer’s view of time, which is more than necessary to ensure Nginx is fully stopped.

Since I use the standalone approach, to renew certificates, port 80/443 must be available for LetsEncrypt to do its thing. Thus, we stop Nginx.

We wait 5 seconds, then issue the obvious command.

Nginx is then started again.
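As written, /opt/renew-ssl exits with the status of its last command (service nginx start), so the cron entry's && curl still fires when letsencrypt renew fails. The variant below is an added example, not the author's script: it polls until Nginx has actually stopped instead of relying on a fixed sleep, always restarts Nginx, and returns a non-zero code on any failure. The *_CMD variables, the pgrep check, the exit codes and the "run" argument are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not the article's script. Commands live in variables so they
# can be swapped for a dry run; the pgrep check and exit codes are assumptions.
STOP_CMD=${STOP_CMD:-"service nginx stop"}
START_CMD=${START_CMD:-"service nginx start"}
RENEW_CMD=${RENEW_CMD:-"letsencrypt renew"}
BUSY_CMD=${BUSY_CMD:-"pgrep -x nginx"}   # succeeds while nginx still runs
WAIT_SECS=${WAIT_SECS:-5}                # same budget as the article's sleep

log() { echo "$(date -u '+%Y-%m-%dT%H:%M:%SZ') $*"; }

# Poll once per second until BUSY_CMD fails (nginx gone) or the budget runs out.
wait_until_stopped() {
    local tries=$1
    while [ "$tries" -gt 0 ]; do
        $BUSY_CMD >/dev/null 2>&1 || return 0
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

# Exit codes: 0 ok, 1 renew failed, 2 stop failed, 3 nginx never stopped,
# 4 nginx failed to start again.
renew_certs() {
    local rc=0
    $STOP_CMD || { log "could not stop nginx"; return 2; }
    if wait_until_stopped "$WAIT_SECS"; then
        $RENEW_CMD || { log "renew failed"; rc=1; }
    else
        log "nginx still running after ${WAIT_SECS}s, skipping renew"
        rc=3
    fi
    # Always bring the web server back, whatever happened above.
    $START_CMD || { log "nginx did not start"; rc=4; }
    log "finished rc=$rc"
    return "$rc"
}

# Run as "/opt/renew-ssl run"; with no argument only the functions are defined.
if [ "${1:-}" = "run" ]; then
    renew_certs
    exit $?
fi
```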


Does it run?

To check if the script runs, after 00:00 on Sunday, check the last-modified timestamp of the /path/to/mylogs/le-renew.log file. If it matches 00:00 GMT, then be happy.

Duh! You could simply open the le-renew.log file to inspect the contents of the logs.


Until LetsEncrypt entered, getting SSL Certs for websites didn’t come this easy.

Big thanks to LetsEncrypt for making the web a little safer to browse. Now you can browse your HTTPS-enabled websites, such as and all our client and personal projects, knowing your communication is to a great extent, secured and safe!

Happy browsing!
